Block Ciphers II Martin Stanek Department of Computer Science Comenius University [email protected] Cryptology 1 (2021/22) Block Ciphers 1 / 26 , Content Confidentiality modes – ECB, CBC, OFB, CFB, CTR Padding Padding oracle attack Ciphertext stealing Authenticated encryption – CCM, GCM Other constructions Format-preserving encryption Encryption of block devices Theoretical security of block ciphers Block Ciphers 2 / 26 , Modes of operation I plaintext usually much longer than the block length I modes of operation can provide: I confidentiality (and not authenticity) ...“traditional” modes I authenticity (and not confidentiality) I confidentiality & authenticity (authenticated encryption) I confidentiality for block-oriented storage devices (e.g. disks) I key wrapping I format-preserving encryption, ... I varying requirements (speed, security properties, ability to parallelize, availability of RNG, etc.) ) different modes Block Ciphers 3 / 26 , Confidentiality modes I the most important confidentiality modes: ECB, CBC, OFB, CFB, CTR I e.g. see NIST SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques I None of these modes provide protection against accidental or adversarial modifications of ciphertext! I however, the effect of ciphertext modification on resulting plaintext varies among modes Block Ciphers 4 / 26 , ECB (Electronic Codebook) P1 P2 P1 P2 Ek Ek Dk Dk C1 C2 C1 C2 encrypt: Ci = Ek (Pi) decrypt: Pi = Dk (Ci) I the simplest mode I data leaks: Ci = Cj , Pi = Pj I easy to rearrange the ciphertexts blocks (permute, duplicate, ...) I encryption and decryption trivially parallelizable I easy to perform a seek (random access) I bit changes do not propagate (single block affected) Block Ciphers 5 / 26 , CBC (Cipher Block Chaining) 1 P1 P2 P1 P2 IV IV (C0) (C0) Ek Ek Dk Dk C1 C2 C1 C2 encrypt: Ci = Ek (Pi Ci 1) decrypt: Pi = Dk (Ci) Ci 1 ⊕ − ⊕ − I IV (initialization vector) – secrecy not required, usually appended as C0 I popular mode (e.g. AES-128 CBC was mandatory in TLS 1.2, RFC 5246) I parallelizable decryption but not encryption I bit change in plaintext or IV propagates to the rest of the ciphertext I bit change in the ciphertext affects only two plaintext blocks Block Ciphers 6 / 26 , Visual comparison of ECB and CBC (AES-128) ?! ECB CBC Block Ciphers 7 / 26 , CBC 2 I “self-synchronizing” after losing a ciphertext block I similarly to ECB, plaintext should be a multiple of block length I padding, ciphertext stealing I IV should be unpredictable (e.g. IV = Ek ¹msgseqº, random, ...) I otherwise, in CPA scenario, an attacker gets an Ek ¹·º oracle I since C1 = Ek ¹IV ⊕ P1º, predictable IV allows him/her to adjust P1 I the attacker with Ek ¹·º access can test any plaintext block Block Ciphers 8 / 26 , CBC 3 I data leak (birthday & two-time pad): Ci = Cj ) Ek ¹Pi ⊕ Ci−1º = Ek ¹Pj ⊕ Cj−1º Pi ⊕ Pj = Ci−1 ⊕ Cj−1 I Sweet32 attack (2016): ciphers with block length 64 bits and large amount of data encrypted using the same key (TLS, OpenVPN) I 64 bit block ) collision expected after ≈ 232 blocks (32 GiB) I limit number of blocks encrypted with a single key Block Ciphers 9 / 26 , CFB (Cipher Feedback) IV IV Ci 1 Ci 1 (C0) − − (C0) Ek Ek Pi Ci Ci Pi encrypt: Ci = Pi Ek (Ci 1) decrypt: Pi = Ci Ek (Ci 1) ⊕ − ⊕ − I parallelizable decryption but not encryption; Dk not needed I bit change in plaintext or IV propagates to the rest of the ciphertext I bit change in the ciphertext affects only two plaintext blocks I self-synchronizing after full ciphertext block is lost I ciphertext block and its predecessor are needed to decrypt correctly I there is a variant for more granular losses Block Ciphers 10 / 26 , CFB 2 I plaintext length does not need to be a multiple of block length I IV should be unique for each plaintext I repeated IV: I two-time pad for the first blocks: 0 0 0 C1 ⊕ C1 = Ek ¹IVº ⊕ P1 ⊕ Ek ¹IVº ⊕ P1 = P1 ⊕ P1 I for constant IV we have an encryption oracle in CPA scenario; 2nd block (C2): C2 = Ek ¹Ek ¹IVº ⊕ P1º ⊕ P2 | {z } C1 0 0 choosing P1 = C1 ⊕ P1 ⊕ X and arbitrary P2 yields 0 0 0 C2 = Ek ¹Ek ¹IVº ⊕ C1 ⊕ P1 ⊕ Xº ⊕ P2 = Ek ¹Xº ⊕ P2 0 0 thus Ek ¹Xº = C2 ⊕ P2 Block Ciphers 11 / 26 , CFB8 variant of CFB mode and Zerologon I Zerologon (CVE-2020-1472, Tom Tervoort) compromising domain admin in AD I problems with cryptography in Netlogon protocol I AES-CFB8 I CFB8 mode (Pi and Ci denote bytes): C1 = Ek ¹IV »0 … 15¼º»0¼ ⊕ P1 C2 = Ek ¹IV »1 … 15¼C1º»0¼ ⊕ P2 C3 = Ek ¹IV »2 … 15¼C1C2º»0¼ ⊕ P3 … Ci¸1 = Ek ¹C»i − 15, … , i¼º»0¼ ⊕ Pi¸1 Block Ciphers 12 / 26 , CFB8 variant of CFB mode and Zerologon 2 I function in Netlogon implementation used all-zero IV (always) I consider all-zero plaintext I 1/256 of all keys lead to all-zero ciphertext I client authenticates by encrypting his own challenge with a session key I the attacker chooses all-zero challenge I session-key is unknown I the attacker succeeds with probability 1/256 I if unsuccessful try again (session-key will change since it depends on server challenge as well) I the attack require more than this, but this is the core problem Block Ciphers 13 / 26 , OFB (Output Feedback) IV IV (R0) (R0) Ek Ek Pi Ci Ci Pi Ri = Ek (Ri 1) − encrypt: C = P R decrypt: P = C R i i ⊕ i i i ⊕ i I synchronous stream cipher; Dk not needed I IV should be unique for each plaintext I neither encryption nor decryption can be parallelized I single bit change in plaintext/ciphertext causes single bit change in ciphertext/plaintext (easy to flip plaintext bits) Block Ciphers 14 / 26 , CTR (Counter) IV ctr IV ctr | | Ek Ek Pi Ci Ci Pi ctr++ encrypt: C = P E (IV ctr) decrypt: P = C E (IV ctr) i i ⊕ k | i i ⊕ k | I inputs to Ek should not overlap (otherwise ...two-time pad) I similar to OFB (synchronous stream cipher) I similar properties of changing ciphertext bits I easy to perform a seek (random access) I easy to encrypt and decrypt in parallel Block Ciphers 15 / 26 , Padding I ECB and CBC assume: n j jplaintextj (i.e. n divides the length of plaintext) I padding required (various paddings used): I bit padding – append 1 (always) and necessary number of 0’s: msg || 1000...0 I byte padding (PKCS #7, CMS (RFC 5652)): msg || 01 if n j jmsgj ¸ 1 msg || 03 03 03 if n j jmsgj ¸ 3 msg || 10 10 ...10 if n j jmsgj (for n = 128) I similarly for TLS 1.2 (RFC 5246): 00; 02 02 02; 0F 0F ...0F I padding ) |ciphertext| ¡ |plaintext| I padding should be verified after decryption I “stream” modes like OFB, CTR or CFB do not need padding I jciphertextj = jplaintextj Block Ciphers 16 / 26 , Padding oracle attack 1 I implementation issue I our assumptions: I CBC mode I we can recognize correct/incorrect padding, e.g. a server behaves differently (observable error, timing differences, ...) I goal: decrypt ciphertext block C, i.e. compute Y = Dk ¹Cº I the attack: I try ciphertexts (assume 16-byte block, X is a random 15-byte value): (X || 00) || C,(X || 01) || C,...,(X || 7A) || C, ..., (X || FF) || C, until we find a ciphertext with valid padding I probably the corresponding plaintext ends with byte 01, and we can compute Y15, e.g. (7A ⊕Y15) = 01 ) Y15 = 7B Block Ciphers 17 / 26 , Padding oracle attack 2 I the attack (cont.): I set the last byte of the first block to get 02 as the final byte of the plaintext: b ⊕ Y15 = 02, i.e. b = 79 I try ciphertexts (X is a random 14-byte value): (X || 00 || 79) || C,(X || 01 || 79) || C,..., (X || B2 || 79) || C, ..., (X || FF || 79) || C, until we find a ciphertext with valid padding (this time: 02 02) I we can compute Y14, e.g. (B2 ⊕Y14) = 02 ) Y14 = B0 ...similarly for other bytes I a variant used against SSL/TLS implementations (Lucky Thirteen, 2013) Block Ciphers 18 / 26 , Ciphertext stealing 1 I method of avoiding padding for CBC or ECB modes I ciphertext stealing for CBC mode encryption: Pn 1 Pn 0 ... 0 − || Ek Ek plaintext: … Pn−2, Pn−1, Pn 0 0 ciphertext: … Cn−2, Cn−1, Cn Cn 2 Cn 1 Cn − − Cn0 1 Cn0 x ... x − || Block Ciphers 19 / 26 , Pn 1 Pn 0 ... 0 − || 3 Dk Dk Cn 2 Cn 1 Cn − − Cn0 1 Cn0 − 1 2 Ciphertext stealing 2 I decrypting CBC ciphertext stealing: Pn 1 Pn 0 ... 0 − || Dk Dk Cn 2 Cn 1 Cn − − Cn0 1 Cn0 − 1 2 Block Ciphers 20 / 26 , Pn 1 Pn 0 ... 0 − || 3 Dk Dk Cn 2 Cn 1 Cn − − Cn0 1 Cn0 − 1 2 Ciphertext stealing 2 I decrypting CBC ciphertext stealing: Pn 1 Pn 0 ... 0 − || Dk Dk Cn 2 Cn 1 Cn − − Cn0 1 Cn0 − 1 2 Block Ciphers 20 / 26 , Authenticated encryption I modes providing confidentiality & authenticity of data I e.g. CCM (Counter with CBC-MAC), GCM (Galois/Counter Mode) I CCM (idea): I plaintext encrypted using CTR mode I authentication tag computed as CBC-MAC I authenticate-then-encrypt (single key is used) I two-pass scheme (two E transforms for each input block) m1 m2 mt IV Ek Ek Ek Block Ciphers 21 / 26 , Authenticated encryption – GCM I faster than CCM I simplified GCM: I single key is used I plaintext encrypted using CTR mode (starting with inc¹J0º, an 31 incremented “pre-counter block”, derived from IV, e.g.